To store a trusted CA-signed TLS/SSL server certificate on the Unified Access Gateway appliance, you must convert the certificate to the correct format and use the admin UI or the PowerShell scripts to configure the certificate.

About this task

For production environments, VMware strongly recommends that you replace the default certificate as soon as possible. The default TLS/SSL server certificate that is generated when you deploy a Unified Access Gateway appliance is not signed by a trusted Certificate Authority.

Important:

Also use this procedure for periodically replacing a certificate that has been signed by a trusted CA before the certificate expires, which might be every two years.

This procedure describes how to use the REST API to replace the certificate.

Prerequisites

Unless you already have a valid TLS/SSL server certificate and its private key, obtain a new signed certificate from a Certificate Authority. When you generate a certificate signing request (CSR) to obtain a certificate, make sure that a private key is also generated. Do not generate certificates for servers using a KeyLength value under 1024.

To generate the CSR, you must know the fully qualified domain name (FQDN) that client devices will use to connect to the Unified Access Gateway appliance and the organizational unit, organization, city, state, and country to complete the Subject name.
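
As an added example (not part of the original VMware page or VMware's scripts), the following shell functions generate a private key together with a CSR for the appliance FQDN, then check the self-signature, key length and name before the request goes to a CA. The FQDN, the subject values, the 2048-bit default and the subjectAltName entry are assumptions chosen for illustration; OpenSSL 1.1.1 or later is assumed.

```bash
#!/usr/bin/env bash
# Added example (not VMware code). FQDN and subject values are constructed.
set -eu

# make_csr DIR FQDN OU ORG CITY STATE COUNTRY [BITS]
# Writes DIR/FQDN.key (unencrypted private key) and DIR/FQDN.csr.
make_csr() {
    dir=$1 fqdn=$2 ou=$3 org=$4 city=$5 state=$6 country=$7 bits=${8:-2048}
    (
        umask 077   # keep the private key owner-readable only
        openssl req -new -newkey "rsa:$bits" -nodes \
            -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" \
            -subj "/C=$country/ST=$state/L=$city/O=$org/OU=$ou/CN=$fqdn" \
            -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
    )
}

# Print the public key size (in bits) recorded in a CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeeds only if the private key and the CSR carry the same public key.
key_matches_csr() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# check_csr CSR FQDN MIN_BITS
# Returns 1: bad self-signature, 2: key too short, 3: FQDN not in SAN.
check_csr() {
    csr=$1 want=$2 min_bits=$3
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    bits=$(csr_key_bits "$csr")
    [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ] || return 2
    openssl req -in "$csr" -noout -text | tr ',' '\n' | tr -d ' ' |
        grep -Fxq "DNS:$want" || return 3
}

# Demo with constructed values.
tmp=$(mktemp -d)
make_csr "$tmp" uag.example.com IT "Example Corp" "Palo Alto" California US
if check_csr "$tmp/uag.example.com.csr" uag.example.com 2048 &&
   key_matches_csr "$tmp/uag.example.com.key" "$tmp/uag.example.com.csr"; then
    echo "CSR ok: $(csr_key_bits "$tmp/uag.example.com.csr")-bit key"
fi
rm -rf "$tmp"
```

Keep the generated `.key` file with the CSR: the signed certificate the CA returns is only usable with that private key.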